[c-nsp] Cisco Security Advisory: Cisco Expressway Series and TelePresence VCS Denial of Service Vulnerability

Cisco Systems Product Security Incident Response Team psirt at cisco.com
Wed Jan 25 11:34:06 EST 2017


Cisco Security Advisory: Cisco Expressway Series and TelePresence VCS Denial of Service Vulnerability

Advisory ID: cisco-sa-20170125-expressway

Revision 1.0

For Public Release 2017 January 25 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability in the received packet parser of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) software could allow an unauthenticated, remote attacker to cause a reload of the affected system, resulting in a denial of service (DoS) condition.

The vulnerability is due to insufficient size validation of user-supplied data. An attacker could exploit this vulnerability by sending crafted H.224 data in Real-Time Transport Protocol (RTP) packets in an H.323 call. An exploit could allow the attacker to overflow a buffer in a cache that belongs to the received packet parser, which will crash the application and result in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170125-expressway
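
The class of check the Summary refers to, size validation before received RTP data is copied into a fixed-size cache, is sketched below as an added example; it is not Cisco's code and does not reproduce the affected parser or H.224 framing, which the advisory does not describe. The names `cache_rtp_payload` and `CACHE_SLOT_SIZE` and the 256-byte slot are hypothetical; the header layout follows RFC 3550.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CACHE_SLOT_SIZE 256   /* hypothetical fixed cache slot size */
#define RTP_FIXED_HDR   12    /* RFC 3550 fixed header length */

/* Returns the number of payload bytes stored in slot, or -1 if validation fails. */
int cache_rtp_payload(const uint8_t *pkt, size_t len, uint8_t slot[CACHE_SLOT_SIZE])
{
    if (pkt == NULL || len < RTP_FIXED_HDR) return -1;
    if ((pkt[0] >> 6) != 2) return -1;                 /* RTP version must be 2 */

    size_t off = RTP_FIXED_HDR + 4u * (pkt[0] & 0x0F); /* skip the CSRC list */
    if (off > len) return -1;

    if (pkt[0] & 0x10) {                               /* extension header present */
        if (len - off < 4) return -1;
        size_t ext_words = ((size_t)pkt[off + 2] << 8) | pkt[off + 3];
        off += 4;
        if (ext_words * 4 > len - off) return -1;      /* sender-supplied length */
        off += ext_words * 4;
    }

    size_t payload = len - off;
    if (pkt[0] & 0x20) {                               /* padding: last byte is the count */
        if (payload == 0) return -1;
        size_t pad = pkt[len - 1];
        if (pad == 0 || pad > payload) return -1;
        payload -= pad;
    }

    /* Size check before the copy: an oversized payload is rejected, not copied. */
    if (payload > CACHE_SLOT_SIZE) return -1;
    memcpy(slot, pkt + off, payload);
    return (int)payload;
}

int main(void)
{
    /* Constructed sample: version 2, no CSRC, extension or padding. */
    uint8_t pkt[RTP_FIXED_HDR + 300] = { 0x80 };
    uint8_t slot[CACHE_SLOT_SIZE];
    printf("oversized: %d\n", cache_rtp_payload(pkt, sizeof pkt, slot));
    printf("fits:      %d\n", cache_rtp_payload(pkt, RTP_FIXED_HDR + 100, slot));
    return 0;
}
```

Every length in the sketch (CSRC count, extension length, padding count, payload size) comes from the sender, so each one is checked against the bytes actually received before it is used as an offset or copy size.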

